lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <012201c44d5c$8584cf20$6702a8c0@AlanPickel.com>
Date: Tue, 8 Jun 2004 09:28:44 -0400
From: "Michael Evanchik" <Mike@...haelEvanchik.com>
To: "Gadi Evron" <ge@...uxbox.org>, "Jelmer" <jkuperus@...net.nl>
Cc: <bugtraq@...urityfocus.com>, <full-disclosure@...ts.netsys.com>,
   <peter@...lomatmail.net>
Subject: Re: Re: Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan)

Although this ms-its exploit has been around ,the true author of finding this is an UNKNOWN author.  I remember when it was _reported_ by Thor but he did not take credit.  As for it being 0-day.  It sure is.  None of microsofts's patches stop it nor did Norton AntiVirus Corp.  I have no idea who you are Gadi to give such comments like that.

Michael Evanchik

www.MichaelEvanchik.com 
  ----- Original Message ----- 
  From: Gadi Evron 
  To: Jelmer 
  Cc: bugtraq@...urityfocus.com ; full-disclosure@...ts.netsys.com ; peter@...lomatmail.net 
  Sent: Monday, June 07, 2004 4:47 PM
  Subject: [Full-Disclosure] Re: Internet explorer 6 execution of arbitrary code (An analysis of the 180 Solutions Trojan)


  Comments inline.

  Jelmer wrote:

  > Just when I though it was save to once more use internet explorer I received
  > an email bringing my attention to this webpage
  > http://216.130.188.219/ei2/installer.htm   that according to him used an
  > exploit that affected fully patched internet explorer 6 browsers. Being
  > rather skeptical I carelessly clicked on the link only to witness how it
  > automatically installed addware on my pc!!!

  So, you just clicked on the link which was reported as unsafe, did you? :)

  Those protocol handlers always seem to cause problems and it's not just 
  on Windows, Apple has had just as many problems in dealing with these 
  for OS X. If it's not a lack of input validation then it is a lack of 
  zone restrictions, perhaps the entire concept of higher privileged zones 
  of any kind should be abandoned.

  Are these really new vulnerabilities or just variants of old? The 
  "Location: URL:" proxy really just looks like the "Location: File:" 
  proxy that Liu Die Yu reported and the object caching stuff really just 
  looks like a variation of the advisories from GreyMagic back in 2002 
  with the showModalDialog caching and javascript: injection. Other than 
  those 2, the only real vulnerability on the page is the Ibiza chm stuff 
  which still works on plenty of fully patched machines.

  > Now there had been reports about 0day exploits making rounds for quite some
  > time like for instance this post
  >  
  > http://www.securityfocus.com/archive/1/363338/2004-05-11/2004-05-17/0 

  Why is this a 0-day? Are you trying to start a holy war here? Please 
  explain why this is a 0-day if you make such claims.

  > However I hadn't seen any evidence to support this up until now
  > Thor Larholm as usual added to the confusion by deliberately spreading
  > disinformation as seen in this post
  >  
  > http://seclists.org/lists/bugtraq/2004/May/0153.html

  Thor? Spreading disinformation?

  > Attributing it to and I quote "just one of the remaining IE vulnerabilities
  > that are not yet patched"

  That sounds about right.

  > I’ve attempted to write up an analysis that will show that there are at
  > least 2 new and AFAIK unpublished vulnerabilities (feel free to proof me
  > wrong) out there in the wild, one being fairly sophisticated 

  I, personally, appreciate any serious research work, but why put down a 
  colleague while you're at it?

  > You can view it at:
  > 
  > http://62.131.86.111/analysis.htm
  > 
  > Additionally you can view a harmless demonstration of the vulnerabilities at
  > 
  > http://62.131.86.111/security/idiots/repro/installer.htm
  > 
  > Finally I also attached the source files to this message

  If this really was a 0-day, isn't that a tad irresponsible?

  As to Thor...

  You are claiming that he is deliberately spreading disinformation, but 
  then you proceed to verify his claims.

  Are you sure you don't just have a personal vendetta against him?
  I don't see what's wrong with him pitching his product (Quik-Fix (?)) 
  when reporting his research. That's how the industry work.

  You do research and advertise the company that did it, and what solution 
  it offers.
  Working for free doesn't put food on the table and he has a product that 
  might actually protects against such issues. What's next, you will 
  complain about AV companies who say they detect a virus or security 
  researchers that get paid to work instead of living off the street 
  credit from the security mailing lists? Maybe you just don't like 
  companies of any kind.

  As to the research itself...

  Thor went through the hnc3k.com website and listed all the pages and 
  vulnerabilities on it, which sounds like an exhaustive task to me. But 
  didn't you do the same and when analyzing the 180 solutions Trojan 
  pages? It sounds pretty exhaustive as well.

  The difference is that Thor also told you how to protect against this, 
  by locking down the My Computer zone. I can't see anywhere that Thor was 
  referring to the object caching vulnerability you are listing as new. In 
  my mind, he was referring to the old Unpatched page that he used to 
  maintain and that would mean he said some of those are still not patched.

  I miss that page. It was very good.

  We know that Ibiza still works and that there are still problems with 
  the SSL certificate handling in IE, don't you think he was just 
  referring to those? From this side it really just looks as if you are 
  trying to deal a low blow against Mr. Larholm because you have some 
  personal grudge against him.

  I hope I provided you with information to re-think your claims. Also, 
  please try and keep your grudges to yourself where 50K plus busy people 
  need to sift through vital information?

  Gadi Evron.

  -- 
  Email: ge@...uxbox.org.  Work: gadie@....gov.il. Backup: ge@...p.mx.dk.
  Phone: +972-50-428610 (Cell).

  PGP key for attachments: http://vapid.reprehensible.net/~ge/Gadi_Evron.asc
  ID: 0xD9216A06 FP: 5BB0 D3E2 D3C1 19B7 2104  C0D0 A7B3 1CF7 D921 6A06
  GPG key for encrypted email: 
  http://vapid.reprehensible.net/~ge/Gadi_Evron_Emails.asc
  ID: 0x06C7D450 FP: 3B88 845A DF1F 4062 E5BA  569A A87E 8DB7 06C7 D450

  _______________________________________________
  Full-Disclosure - We believe in it.
  Charter: http://lists.netsys.com/full-disclosure-charter.html
Content of type "text/html" skipped

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ